Health systems, startups come together to create national standard for security assessments

Health systems, startups, and other stakeholders are banding together to create a series of standardized frameworks for innovators, starting with a standardized security assessment for business associate agreements.

The all-volunteer group, currently called the Digital Health Collaborative (the group plans to adopt an official name next year), was conceived and first met at the HIMSS18 Global Conference in March. At this year's CHC in Boston, they presented a progress report.

“It began from a place of frustration where a number of us would go to these conferences, we’d talk about the things that matter, and then in between those conferences we don’t continue that collaboration and that ability to work together,” Nick Dougherty, cofounder of the collaborative and managing director of MassChallenge HealthTech, told MobiHealthNews.

The security assessment project is a test run of what a group like the Digital Health Collaborative can do.

“In the same way that we’re building step by step for the collaborative, we’re going step by step for these projects,” Dougherty said. “Before you sign a business associate agreement [under HIPAA], a prerequisite is to do a security assessment. We felt that the assessment was the most standardizable, or maybe the least standardized, part of that process.”

What’s the impact?

In the process of collecting the data to create a standardized version, the collaborative has been reminded of just how nonstandard security assessments are now. They’ve collected 50 different examples and, Dougherty said, they’re all vastly different in both format and content.

“One common misconception is there is no such thing as HIPAA compliant,” Brigham and Women’s CIO Dr. Adam Landman said at the conference. “When we see seals on websites or products or people advertising HIPAA compliance, that doesn’t exist. There are certifications, but they don’t mean you’re HIPAA compliant. The way the regulations are written, it’s subjective and it’s subjective on purpose. We want to look at each individual innovation, understand what the risks are, and adopt the appropriate posture depending upon the risks and benefits of that product. That’s part of what makes this whole process challenging.”

This creates major problems for health startups that want to be secure, but don’t know the rules of the road until months into a partnership when that particular health system shares its assessment. Additionally, the disparity in standards suggests that many organizations might have holes in their security.

The group currently has a draft of 180 questions compiled from the examples they’ve received and the input of representatives from other organizations that chose not to share their assessments. They’re soliciting input from CISOs, startups, chief technology officers and security experts.

What’s the trend?

In some sense, the Digital Health Collaborative is following in the footsteps of open-sourced software standards like FHIR. But instead of standardizing data formats, they’re aiming to standardize institutional processes — and security assessments are just the beginning. Eventually, the plan is to standardize the whole business associate agreement. And the collaborative has many additional goals beyond that.

Dougherty said the standard will hopefully be rolled out next year. His position at MassChallenge HealthTech will allow them to roll it out officially in Massachusetts, but they are hoping to secure volunteer adoption across the nation.

On the record

“Having a standard security assessment will not work unless you have near-universal adoption of the standard. With something like FHIR, you only needed a handful of EHRs. But for HIPAA policies, that’s a lot of organizations you need to align around. The two priorities are recruiting health systems and developing a really strong standard. We don’t want to pretend we have all the answers,” Dougherty said. “Our approach is get as many intelligent people poking holes in this as possible, so we have the most resilient standard that’s ever been created.”

Focus on Cybersecurity

In October, we take a deep dive into security strategy and pressing threats.